Deciding on the Best Option for Active Directory

Currently, three options exist for using the Penn State Windows Active Directory Service: join as an OU in the ACCESS domain, join as a child domain, or use a direct trust for authentication. Your organization's best option depends on its organizational needs and its supporting capabilities.

OU under the ACCESS domain

This option is recommended for most organizations at the University Park campus. It allows an organization to use the Kerberos trust without managing a domain. In this scenario, all domain issues (such as account management, Domain Controller maintenance/management, and infrastructure disaster recovery) are taken care of by ACCESS administrators. Your organization is responsible for managing its client PCs and any services provided from its servers. Most administrative tasks are still possible: you may still manage PCs, servers and Group Policy Objects (GPOs), but slight differences exist for adding machines and creating GPOs in this environment.

Pros:

Easiest to start and implement

Domain administration is taken care of

Domain infrastructure is managed and maintained

Domain infrastructure disaster recovery is taken care of

Account management is taken care of

Direct support of ACCESS admins

Cons:

Least control outside your OU of the three options

Global changes such as schema extension must be approved and tested before implementation

Child Domain

This option is recommended for large organizations. If you would prefer to keep local domain controllers but need to leverage central services, this option is a good choice. You can leverage account management from central services while still retaining domain administrator privileges.

Pros:

Account management is taken care of

Cons:

Global changes such as schema extension must be approved, tested, and implemented

Existing domains cannot be forklifted in as child domains

Direct Trust

This option is recommended for organizations that already manage a domain with user accounts in it. This option requires that your organization administer everything itself. The only support from the ACCESS domain is in setting up the trust.